CVE-2023-20855

8.8HIGH

Key Information

Vendor: Vmware
Status: VMware vRealize Orchestrator, VMware vRealize Automation, VMware Cloud Foundation
Vendor: CVE Published:; 22 February 2023

Summary

VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.

Affected Version(s)

VMware vRealize Orchestrator, VMware vRealize Automation, VMware Cloud Foundation = VMware vRealize Orchestrator 8.x

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Feb 22, 2023
Vulnerability Reserved.
Nov 1, 2022

Collectors

NVD DatabaseMitre Database